kalicut_48905
Nimbostratus
Feb 26, 2009
iRules HTTPS drop request
Hi,
We placed an iRule to redirect any traffic other than that which comes to URI /PUBLIC/* to go through HTTPS.
when HTTP_REQUEST {
if { not ([HTTP::uri] starts_with "/PUBLIC") ...
hoolio
Cirrostratus
Feb 26, 2009
Hi Ram,
Do you have this iRule added to the HTTP VIP? Do you have a default pool on the HTTP VIP?
Can you add logging to the iRule:
when HTTP_REQUEST {
    log local0. "[IP::client_addr]:[TCP::client_port]: New HTTP request to [HTTP::host][HTTP::uri]"

    # Check if requested path does not start with /PUBLIC
    if { not ([HTTP::path] starts_with "/PUBLIC") } {
        log local0. "[IP::client_addr]:[TCP::client_port]: Redirecting to https://[HTTP::host][HTTP::uri]"

        # Redirect non-public requests to the same host/URI but via https
        HTTP::redirect "https://[HTTP::host][HTTP::uri]"
    }
}
One thing to be aware of is if you're trying to prevent a client from submitting sensitive data via HTTP and the client is being directed to make a request via HTTP (ex: form action=http://...) they'll already have exposed the sensitive data by the time you redirect them to HTTPS.
Aaron
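
The caveat in the reply above can be checked from the page side. This is an added example, not part of the original thread: it lists forms whose action resolves to plain HTTP on a path the iRule redirects, so the submitted fields cross the network before the redirect is returned. The sample URL and HTML are constructed, and `FormAudit` and `cleartext_forms` are hypothetical names.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

PUBLIC_PREFIX = "/PUBLIC"  # exemption used by the iRule in the thread
# Constructed sample page; www.example.com is a placeholder host.
SAMPLE_URL = "https://www.example.com/app/login"
SAMPLE_HTML = """
<form action="http://www.example.com/app/auth" method="post">
  <input name="user"><input type="password" name="pw"></form>
<form action="/app/search"><input name="q"></form>
<form action="http://www.example.com/PUBLIC/feedback" method="post">
  <input name="comment"></form>
"""

class FormAudit(HTMLParser):
    """Collect each form's resolved action URL, method and input types."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url, self.forms, self._open = page_url, [], None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            # An empty or missing action submits to the page's own URL.
            self._open = {"target": urljoin(self.page_url, a.get("action") or ""),
                          "method": (a.get("method") or "get").upper(),
                          "inputs": []}
            self.forms.append(self._open)
        elif tag == "input" and self._open is not None:
            self._open["inputs"].append((a.get("type") or "text").lower())

    def handle_endtag(self, tag):
        if tag == "form":
            self._open = None

def cleartext_forms(page_url, html):
    """Return (target, method, has_password_field) for every form whose first
    request goes over plain HTTP to a path outside the /PUBLIC exemption."""
    audit = FormAudit(page_url)
    audit.feed(html)
    findings = []
    for form in audit.forms:
        url = urlsplit(form["target"])
        # Same test as the iRule: case-sensitive prefix match on the path.
        if url.scheme == "http" and not url.path.startswith(PUBLIC_PREFIX):
            findings.append((form["target"], form["method"],
                             "password" in form["inputs"]))
    return findings
```

Each finding is a form to repoint at an https:// action; the redirect on the virtual server only takes effect after that first request has already been sent.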
